The SitePoint Forums have moved.

You can now find them here.
This forum is now closed to new posts, but you can browse existing content.
You can find out more information about the move and how to open a new account (if necessary) here.
If you get stuck you can get support by emailing forums@sitepoint.com

If this is your first visit, be sure to
check out the FAQ by clicking the
link above. You may have to register
before you can post: click the register link above to proceed. To start viewing messages,
select the forum that you want to visit from the selection below.

session_unset() or session_destroy() ?

I'm researching sessions and how to create and end them.
I've come to the part where someone would want to log out and not have someone else on the same computer be able to instantly continue their session.

Which should I use, unset or destroy?

They both seem to do a similar job so I don't know which is more appropriate.

And what would I want to store as a variable apart from the username?

I'll be attempting to integrate the session handling with a mysql database (Haven't got that far in the book yet though )

Unset will just unset (remove the variable) the particular session variable(s) but destroy will (the word itself describes) destroy all the sessions that means all the session variables will be removed/deleted. And if you want some session again then you need to restart the session. So what is your need? If you just want to unset a session variable (which can also be used in case of user logout) then go for unset function and pass the session variable(s) to it. Or if u don't want to have anything then go for session_destroy().

I am not sure in your particular case here that for what purpose you are using sessions. But there might be some cases that you want to store some values in the sessions even after the user logs out. If you don't have anything to do with sessions after user logs out then you can just destroy the session.

Session should be maintained till the user is at the site. For example, a user who selects items in shopping cart without loggin in wish to checkout at the end. There the session will be necessary irrespective of the login Id.

I'm researching sessions and how to create and end them.
I've come to the part where someone would want to log out and not have someone else on the same computer be able to instantly continue their session.

Which should I use, unset or destroy?

They both seem to do a similar job so I don't know which is more appropriate.

And what would I want to store as a variable apart from the username?

I'll be attempting to integrate the session handling with a mysql database (Haven't got that far in the book yet though )

$_SESSION = array(); probably does what you want as well.

Think about it like this:

session_start() checks to see if there is a session id, and if not creates one (in a browser cookie by default). It then has a way to identify the browser when it requests a page - note: not a user, a browser.

For example, let's say php set the session id as r2d2. When that browser requests another page, php goes "oh hey, it's r2d2, let me load his file". The file is the $_SESSION array.

Now perhaps r2d2 logged out, and c3p0 started using the computer. When r2d2 logged, you would clear the "file", either through destroy, unset, or simply $_SESSION = array(). The session id (r2d2) is still there, none of those will clear it, for that you have to clear the cookie. However that doesn't really matter; there is no data left that means anything. The "file" for R2d2 is blank, so he can easily log on again as c3p0, in which case you create a new "file" (the $_SESSION array) for the new user. The session id just marks the browser.

Not quite, when you call session_start(), a cookie is created for the browser. Regardless of logged in.

The $_SESSION array is stored on the server, and php associates the cookie value with a particular $_SESSION.

When the user logs in you store data in the $_SESSION array to identify them.

So on logout, you can just clear the server side data: $_SESSION = array(); (or destroy etc), and the browser cookie (session id) will no longer be associated with any data that identifies the user in your system.

The cookie will still exist, session_destroy() won't remove it, but it's just a random string identifying the browser. Another user can login with the same cookie, and you would simply assign their details to $_SESSION.

//Start Session
session_start();
//If the username and password are set by the form, then the uid and pwd are values are derived from there, otherwise, they're taken from the session
$uid = isset($_POST['username']) ? $_POST[username'] : $_SESSION['uid'];
$pwd = isset($_POST['password']) ? $_POST['password'] : $_SESSION['pwd'];
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;

When someone clicks logout, all just assign the session_destroy() to the click event.

Will the above code be enough to maintain a session? What else should I be considering? I know I need to put a condition in to say if there is no session information from a filled in form or from an already existing session, they should be presented with a login form, but what else in terms of simply making a session work?

And is it correct that I should put the session.auto_start, session.name etc into the php.ini file?

//Start Session
session_start();
//If the username and password are set by the form, then the uid and pwd are values are derived from there, otherwise, they're taken from the session
$uid = isset($_POST['username']) ? $_POST[username'] : $_SESSION['uid'];
$pwd = isset($_POST['password']) ? $_POST['password'] : $_SESSION['pwd'];
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;

When someone clicks logout, all just assign the session_destroy() to the click event.

Will the above code be enough to maintain a session? What else should I be considering? I know I need to put a condition in to say if there is no session information from a filled in form or from an already existing session, they should be presented with a login form, but what else in terms of simply making a session work?

And is it correct that I should put the session.auto_start, session.name etc into the php.ini file?

for portability just put session_start(); at the top of every page or in an include.